Star/fork: Java-interview-Tutorial github.com/Wasabi1234/…

XX software ultimately fetches the articles from my official account with an access token, and that access token is obtained by exchanging an authorization code. Have you ever wondered why the client exchanges an authorization code for a token instead of receiving the access token directly?

OAuth 2.0 roles

Resource owner, client (the third-party software), authorization service, and protected resource.

  • Resource owner => me
  • Client => XX software
  • Authorization service => the authorization service of the official-account open platform
  • Protected resource => the articles in my official account

Is the authorization code really necessary?

In step 4 the authorization service generates the authorization code. If we wanted to do without it, the authorization service would have to return the access_token at this point instead. It cannot do that through the redirect, because a redirect would hand the highly sensitive access token to the browser and raise the risk of token theft. That clearly does not work. So without an authorization code, the access token could only be issued straight to the back-end service of the third-party software:

Does that look like a problem? I open XX software; XX says that to typeset my articles I have to authorize it, otherwise it cannot work with my official account, and then it redirects me to the open platform's authorization service. Once I arrive there, the open platform verifies that XX is a legitimate client and that I am logged in, and renders the authorization page. I scan the QR code and agree, so the open platform now knows I am willing to hand my article data to XX software.

The open platform then generates the access_token and returns it to XX software's back-end service. XX can work normally.

However, when the browser redirected me to the authorization service, my connection with XX was broken. After I established a connection with the authorization service, I simply "stayed on the authorization service page" and never reconnected to XX.

Meanwhile XX has already received my access token and used it to fetch the articles from my official account. Think about how that feels from my side: XX ought to tell me, but how? The connection is gone. For XX to notify me, I have to re-establish a "connection" with XX, and that takes a second redirect: after I authorize, the authorization service redirects me back to XX's address, and I have a fresh connection with XX.

To rebuild that connection without exposing the access token, we need a temporary, indirect credential: the authorization code. What XX ultimately needs is the high-value access token, not the code, so the code is the one thing that may be exposed in the browser. With an authorization code, the access token can travel between back-end services while the connection between me and XX is re-established. The authorization code therefore serves both my user experience and the security of the communication.

So how exactly do the authorization code and the access token flow between XX and the authorization service during the authorization code grant?

The communication flow of the authorization code grant

Indirect communication

Indirect communication is the interaction that obtains the authorization code.

Me: "XX, I want to visit you."

XX: "I'm redirecting you to the authorization service; I need the authorization service to give me an authorization code."

Authorization service: "XX, I've sent the authorization code to the browser."

XX: "Then I'll pick up the authorization code from the browser."

XX and the authorization service do not talk to each other directly here; the browser acts as the intermediary.

Direct communication

Exchanging the authorization code for the access token is "direct" communication.

After obtaining the authorization code, the third-party software XX sends a request from its own back-end straight to the authorization service to obtain the access_token.

The authorization service is responsible for issuing the access token; the protected resource is responsible for receiving and verifying it. Because this exchange happens between back-ends, the client can authenticate itself (for example with its client secret), and the authorization service can check that the code was issued to that client and redirect URI, has not expired, and has not been used before.
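The two channels described above, as an added example that is not part of the original post and not code from any open platform: a minimal authorization service and protected resource modelled on RFC 6749 section 4.1. The front channel hands the browser only a short-lived, single-use code bound to the client and its redirect URI; the back channel requires the client to authenticate before the code is exchanged for the token. The client name `xx-software`, the secret, the `xx.example` and `mallory.example` URLs and the article data are all made up for the demonstration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL_SECONDS = 60  # codes are short-lived; RFC 6749 recommends at most 10 minutes


class AuthorizationService:
    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # code -> issuance record
        self.tokens = {}   # access_token -> {"owner": ..., "code": ...}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, state, owner):
        """Front channel: runs after the resource owner has consented.
        Returns the redirect URL for the browser; it carries the code, never a token."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "owner": owner,
                            "expires_at": time.time() + CODE_TTL_SECONDS, "used": False}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client's back-end authenticates and exchanges the code."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        rec = self.codes.get(code)
        if rec is None or time.time() > rec["expires_at"]:
            raise PermissionError("unknown or expired code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("code was not issued to this client and redirect_uri")
        if rec["used"]:
            # RFC 6749 4.1.2: deny a replayed code and revoke tokens already issued from it
            for tok in [t for t, r in self.tokens.items() if r["code"] == code]:
                del self.tokens[tok]
            raise PermissionError("code already used; derived tokens revoked")
        rec["used"] = True
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"owner": rec["owner"], "code": code}
        return {"access_token": access_token, "token_type": "Bearer"}


class ProtectedResource:
    """Holds the articles and only verifies tokens; it never issues them."""
    def __init__(self, auth_service, articles):
        self.auth = auth_service
        self.articles = articles

    def get_articles(self, access_token):
        rec = self.auth.tokens.get(access_token)
        if rec is None:
            raise PermissionError("invalid token")
        return self.articles[rec["owner"]]


CLIENT_ID, CLIENT_SECRET, REDIRECT = "xx-software", "xx-secret", "https://xx.example/callback"


def setup():
    auth = AuthorizationService()
    auth.register_client(CLIENT_ID, CLIENT_SECRET, REDIRECT)
    return auth, ProtectedResource(auth, {"me": ["Article 1", "Article 2"]})  # constructed data


def run_flow():
    """Happy path: the browser redirect carries the code, the back-end exchange yields the token."""
    auth, resource = setup()
    state = secrets.token_urlsafe(8)                 # XX binds the callback to the user's session
    callback = auth.authorize(CLIENT_ID, REDIRECT, state, owner="me")
    params = parse_qs(urlparse(callback).query)      # what arrives at XX via the browser
    if params["state"][0] != state:
        raise PermissionError("state mismatch (possible CSRF)")
    grant = auth.token(CLIENT_ID, CLIENT_SECRET, params["code"][0], REDIRECT)
    return resource.get_articles(grant["access_token"])


def replayed_code_is_rejected_and_revokes_token():
    auth, resource = setup()
    code = parse_qs(urlparse(auth.authorize(CLIENT_ID, REDIRECT, "s", owner="me")).query)["code"][0]
    token = auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT)["access_token"]
    try:
        auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT)   # attacker replays a leaked code
        return False
    except PermissionError:
        pass
    try:
        resource.get_articles(token)                             # the earlier token is gone too
        return False
    except PermissionError:
        return True


def stolen_code_is_useless_to_another_client():
    auth, _ = setup()
    auth.register_client("mallory", "mallory-secret", "https://mallory.example/cb")
    code = parse_qs(urlparse(auth.authorize(CLIENT_ID, REDIRECT, "s", owner="me")).query)["code"][0]
    try:
        auth.token("mallory", "mallory-secret", code, "https://mallory.example/cb")
        return False
    except PermissionError:
        return True
```

The three checks in `token()` are what make it safe for the code to pass through the browser: a code seen in a URL or a browser history is worthless to anyone who cannot also present XX's client secret and redirect URI, and it stops working the moment it is replayed.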

Developing a WeChat mini program: a similar scenario

For example, the process of obtaining the user's login state:

  • Call wx.login(Object object) inside the mini program (through the SDK WeChat provides) to obtain the login credential code.
  • Then exchange that code for the user's session_key and related information through the auth.code2Session method of the official documentation, which is strongly recommended to be called from the developer's back-end service, because the exchange requires the AppSecret.
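The back-end side of that exchange, as an added example that is not from the original post or from WeChat's own code. The endpoint and field names (`jscode2session`, `js_code`, `openid`, `session_key`, `errcode`) follow the mini program documentation linked under the references; check the current documentation before relying on them. The WeChat server is replaced by a constructed stand-in so the example runs offline, and the AppID, AppSecret, code and openid values are made up. The point is the same as in the OAuth flow above: the secret and the session_key never reach the client, which only ever sees an opaque session id issued by our own back-end.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CODE2SESSION_URL = "https://api.weixin.qq.com/sns/jscode2session"


def build_code2session_url(appid, secret, js_code):
    """Only the back-end holds the AppSecret, so only it can build this request."""
    return CODE2SESSION_URL + "?" + urlencode({
        "appid": appid, "secret": secret, "js_code": js_code,
        "grant_type": "authorization_code",
    })


def login(js_code, appid, secret, http_get, sessions):
    """Exchange the code from wx.login for openid/session_key, store them server-side,
    and hand the mini program an opaque session id of our own."""
    data = json.loads(http_get(build_code2session_url(appid, secret, js_code)))
    if data.get("errcode", 0) != 0:
        raise PermissionError(f"code2Session failed: {data.get('errcode')} {data.get('errmsg')}")
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = {"openid": data["openid"], "session_key": data["session_key"]}
    return session_id


def make_fake_wechat():
    """Constructed stand-in for the WeChat endpoint: one valid, single-use code."""
    codes = {"081abcDEF": {"openid": "oXYZ_constructed", "session_key": "k3y_constructed"}}

    def http_get(url):
        params = parse_qs(urlparse(url).query)
        session = codes.pop(params.get("js_code", [""])[0], None)
        if session is None:
            return json.dumps({"errcode": 40029, "errmsg": "invalid code"})
        return json.dumps({**session, "errcode": 0, "errmsg": "ok"})

    return http_get


APPID, APPSECRET = "wx-appid-constructed", "app-secret-constructed"


def demo_login():
    """Returns what the mini program gets (the session id) and what the server keeps."""
    sessions = {}
    session_id = login("081abcDEF", APPID, APPSECRET, make_fake_wechat(), sessions)
    return session_id, sessions[session_id]


def replayed_code_is_rejected():
    sessions, get = {}, make_fake_wechat()
    login("081abcDEF", APPID, APPSECRET, get, sessions)
    try:
        login("081abcDEF", APPID, APPSECRET, get, sessions)   # second use of the same code
        return False
    except PermissionError:
        return True
```

If the mini program called code2Session itself, the AppSecret would have to ship inside the package and the session_key would be visible on the device; keeping the call on the back-end is what makes the session_key usable for later decryption and signature checks.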

References

  • leokongwq.github.io/2017/02/28/…

  • developers.weixin.qq.com/miniprogram…

  • segmentfault.com/q/101000001…

  • tools.ietf.org/html/rfc674…